Community Health Systems, Inc. experienced a criminal external cyber-attack affecting about 4.5 million patients: what CHS did right and important takeaways for hospitals
Community Health Systems, Inc. (“CHS”), a for-profit hospital chain that owns multiple hospitals in Pennsylvania, experienced a criminal cyber attack in April and June 2014, reportedly carried out by a hacker group in China. The information the attackers sought was intellectual property such as medical device and equipment development data. The stolen information did not include patient medical information, payment information or patient clinical information; instead, it consisted of protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), such as patient names, addresses, birth dates, telephone numbers and social security numbers. Because the hacked information was PHI and involved so many patients, CHS was under a HIPAA obligation to report the breach to the Office of Civil Rights (“OCR”) within 60 days of learning of the breach. Reading between the lines, it appears that CHS did multiple things right in responding to this data breach, and other hospitals can learn some valuable lessons from CHS’ misfortune.
- Have in place a robust security system which meets all of the OCR’s Security requirements so that a breach is detected in a timely manner. Appropriate system safeguards which comport with regulatory requirements help both to mitigate the extent of the breach and to minimize exposure to fines and penalties potentially caused by the breach.
- Obtain outside expertise to assist with auditing the breach trail and cause. If the breach appears to involve criminal activity, notify the appropriate investigative authorities to avail yourself of their resources and to distance the organization from the illegal activity.
- Report the breach as soon as possible to the OCR (even before the end of the 60-day notice period) unless advised by investigative authorities to delay the notice. Hospitals don’t need all the facts and a fully completed investigation before notifying the OCR. You may obtain political “good will” from the OCR for early notification.
- Protect your hospital’s bottom line with appropriate cyber breach insurance coverage. Multiple coverage forms are now commercially available. One caveat here: ensure that your coverage permits you to retain your own counsel and to call the shots in responding to the breach. While the insurer’s advice is valuable, you don’t want your hands tied in responding to patients who, after all, are ultimately the focus of your breach minimization efforts.
- Provide correct information to patients in accordance with HIPAA’s requirements, and help to ease affected patients’ anxiety about their financial exposure by providing identity theft protection free of charge for a minimum of one year.
- Prepare for a breach response before it happens:
  - Establish and implement a written data breach response policy
  - Designate your response team and leaders
  - Have an emergency contact list with all the “C suite” executives, legal counsel, Human Resources, IT, PR/Marketing
  - Include in your plan an internal reporting system
  - Implement, as necessary, a call center to address the calls of patients and affected families
  - Provide all mandated communications to your patients in the prescribed manner under HIPAA or applicable state law
  - Communicate, communicate, communicate with your patients by providing a timely, consistent message about what is known at the current time
  - Preserve all data and digital evidence
- Conduct a post-breach debriefing to examine how the response can be improved in the event of a future breach; it will happen again.